This week, a flurry of amendments was introduced to try to salvage the Cyber Information Sharing and Protection Act (CISPA), a “cybersecurity” bill moving through the House that’s been criticized as giving companies free rein to spy on personal communications and pass unredacted content (like emails) to the government. Though numerous amendments were suggested, a package of five amendments was put together by the bill’s primary author Mike Rogers (R-MI) and is likely to be accepted without much debate. Below is an overview of what’s in the Rogers package and how it fails to address the grave civil liberties concerns inherent in CISPA.
Before we dive into our analysis, it’s worth noting that this bill has faced a storm of controversy since EFF and other civil liberties advocates launched a week of action 11 days ago. This week, a group of security experts voiced concerns about the civil liberties problems in the bill. The Free Market Coalition criticized the bill as “unduly expanding federal power, undermining freedom of contract, and harming U.S. competitiveness in the technology sector.” Presidential candidate Ron Paul was equally critical, calling CISPA “Big Brother writ large.” And President Obama has sided with the civil liberties groups. In a statement issued yesterday, the Administration stated that “Without clear legal protections and independent oversight, information sharing legislation will undermine the public's trust in the Government as well as in the Internet.” It also warned that if CISPA were to arrive at the President’s desk in its current state, “his senior advisers would recommend that he veto the bill.”
Rogers’ Amendment Package: Not Nearly Enough to Assuage Civil Liberties Concerns
View all of Rogers’ proposed amendments here.
Minimization, Retention and Notification Amendment
This amendment has a somewhat misleading title because it does little to actually “minimize” the retention of sensitive user data. In short, the amendment states that if a department or agency receives information that actually isn’t related to cybersecurity threats, it shall “notify” the entity that gave it the information. This amendment also says that data won’t be kept for purposes other than what has been outlined in the bill—but it doesn’t actually narrow the expansive reasons for which data can be kept.
The bill also states that the government “may” choose to “undertake reasonable efforts to limit the impact on privacy and civil liberties.” There’s no mandate to do so and no explanation of what constitutes “reasonable efforts.”
Definitions Amendment
We’ve been highly critical of the overbroad ways in which “cybersecurity” is defined in the bill. We’re concerned that typical privacy-protective measures like using Tor or pseudonyms might be deemed “cyber threat information” under the vague definitions of CISPA. The good news is that this amendment excludes intelligence pertaining to efforts to gain unauthorized access that “solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.” This is a step in the right direction because at least signing up for Facebook with a pseudonym is unlikely to get you reported to the FBI for attempting to gain “unauthorized access.”
Unfortunately, this amendment doesn’t address the serious problems with the vague definitions. Even after the amendments, “cybersecurity system” is defined as the system that “cybersecurity providers” or self-protected entities use to monitor and defend against cyber threats. This is a “system” intended to safeguard “a system or network.” The definition could mean anything—a Local Area Network, a Wide Area Network, a microchip, a website, an online service, or a DVD. It might easily be stretched into a catch-all term with no meaning. For example, it is unclear whether DRM on a DVD constitutes a “cybersecurity system.” And such a “cybersecurity system” is defined to protect a system or network from “efforts to degrade, disrupt or destroy”—language that is similarly too broad. Degrading a network could be construed to mean using a privacy-enhancing technology like Tor, or a p2p protocol, or simply downloading too many files.
The bill also creates expansive legal immunity that makes companies and the government largely unaccountable to users. The bill provides “good faith” immunity for using “cybersecurity systems” to obtain information, for not acting on information that a company learns, and for making any decisions based on the information it learns. If a company learns about a security flaw, fails to fix it, and users' information is misused or stolen, the company cannot be held liable as long as it acted “in good faith” according to CISPA. Companies “acting in good faith” are also excused from all liability for engaging in potential countermeasures, even if those countermeasures hurt innocent parties.
So what did Rogers do to address these egregious issues? He changed the phrase “for using cybersecurity systems or sharing information in accordance with this section” to “for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information.”
Basically, he didn’t fix it at all.
Limitation Amendment
Frankly, this amendment doesn’t address any of the civil liberties concerns. It states: “Nothing in this section shall be construed to provide additional authority to, or modify an existing authority of, any entity to use a cybersecurity system owned or controlled by the Federal Government on a private-sector system or network to protect such private-sector system or network.” We suspect that this amendment is attempting to address the issue of black-box style network intrusion detection systems like Einstein being placed on private networks. However, this amendment doesn’t actually prohibit privately owned versions of Einstein from being placed inside networks – it just says that there’s “no additional authority” to do so.
Use Amendment
The final amendment deals with the use of data collected under cybersecurity programs. Under the current version of CISPA, although data collected by companies may only be shared for “cybersecurity” purposes, the government can use it for unrelated purposes because the bill allows the government to use it for “national security purposes.” Provided “at least one significant purpose” is a cybersecurity or national security purpose, it may be used for other, unrelated purposes. The only other restriction on the data is that it not be used for “regulatory” purposes—a term the bill leaves undefined.
The amendment narrows this usage—but not nearly enough. It still allows data collected under cybersecurity programs to be used for cybersecurity purposes, for the investigation and prosecution of cybersecurity crimes, to protect individuals from death or serious bodily harm, to protect minors from child pornography, other sexual exploitation, or serious threats to their physical safety, and for national security.
“National security” is at best a nebulous term—and, at worst, a catch-all excuse for government snooping. As we’ve explained in our recent post on the topic, “the amorphous phrase 'national security' has invaded many arenas of government action, and has been used to justify much activity that did not involve legitimate terrorist threats. The most obvious (and odious) example is the unfortunately named USA-PATRIOT Act, a law that was sold to the American public as essential to combating terrorism, but which has overwhelmingly been applied to ordinary American citizens never even suspected of terrorism.”
There are several other amendments that are going to be considered, but it’s unclear whether those will be successful, and EFF doesn't believe those amendments can ameliorate the core civil liberties concern with this legislation—namely, the overriding of all existing privacy law to allow companies to share sensitive user data with the government. For now, we’re calling on the Internet to continue to call, email, and tweet at their Representatives, urging them to support privacy-protective amendments and oppose CISPA as a whole.